Introduction

What is 28 CFR Part 23 and who needs to comply with it?

28 Code of Federal Regulations (CFR) Part 23 (28 CFR Part 23) is a U.S. Department of Justice regulation—issued in 1980, updated in 1993, and clarified in 1998—that governs the operation of interjurisdictional and multijurisdictional criminal intelligence systems that are operated by and principally for the benefit of state, local, tribal, or territorial law enforcement agencies. If a project is supported with funding under the Omnibus Crime Control and Safe Streets Act of 1968, as amended (Safe Streets Act), or is required to comply by grant special condition (High Intensity Drug Trafficking Areas) or state law (Texas) then it must comply with the regulation.

Why be 28 CFR Part 23-compliant?

28 CFR Part 23 has become the de facto national standard for criminal intelligence information sharing. The National Criminal Intelligence Sharing Plan (NCISP) recommends use of the regulation to ensure that the submission/collection, use, access, storage, and dissemination of criminal intelligence information by intelligence projects and member or participating law enforcement and homeland security agencies conform to sound practices that protect the privacy and constitutional rights of individuals and organizations—regardless of whether the criminal intelligence system is subject to the regulation.

What are a “criminal intelligence system” and a “criminal intelligence project”?

A “criminal intelligence system” provides a way to receive, store, and share or exchange criminal intelligence information (and other information and intelligence). According to 28 CFR Part 23, a criminal intelligence system includes the facilities, equipment, agreements, and procedures used for the receipt, storage, interagency exchange or dissemination, and analysis of criminal intelligence. Most intelligence projects have established an electronic database to store and share criminal intelligence. Other agencies participate in a criminal intelligence project, such as one of the six Regional Information Sharing Systems (RISS) Centers, which operates a criminal intelligence database. The regulation defines a “criminal intelligence project” as either “the organizational unit which operates an intelligence system on behalf of or for the benefit of a single agency or the organizational unit which operates an interjurisdictional intelligence system on behalf of a group of participating agencies.” The project typically manages the criminal intelligence system. Most criminal intelligence databases are “pointer index” systems containing subject and crime identification information (structured), while others are narrative or report-based (unstructured) criminal intelligence databases. 28 CFR Part 23 applies to both types of databases.

What is “criminal intelligence information”?

“Criminal intelligence information” is data that has been evaluated (analyzed) to determine that it: (1) is relevant to the identification of and the criminal activity engaged in by an individual who or organization that is reasonably suspected of involvement in criminal activity; and (2) meets criminal intelligence system submission criteria. It is information that is developed from data gathered by investigators and analysts. Criminal intelligence, because it has undergone some form of evaluation or analysis, indicates to law enforcement that the subject is likely to be involved in some definable criminal activity. It is more than separate pieces of information that by themselves mean nothing but which, taken together, show an investigator or analyst something about the subject’s criminal involvement.

For example, when an investigator analyzes information and determines that there is “reasonable suspicion” that a subject (whether an individual or an organization, such as a gang business) is reasonably suspected of being involved in a definable criminal activity or enterprise, that information qualifies as criminal intelligence and may be stored in a criminal intelligence database and disseminated as criminal intelligence information.

Who is mandated to take the 28 CFR Part 23 online training course?

No agency or individual is required to take the on-line course unless required to do so as a matter of agency policy. The regulation requires participating agencies, if certain responsibilities are delegated to them, to be properly trained. To satisfy this requirement, many intelligence projects require that individuals who will access or receive criminal intelligence information take the course as a prerequisite to accessing or receiving criminal intelligence information from the system.

Are there any other Web sites that allow you to obtain the 28 CFR Part 23 online training course certification or just the Bureau of Justice Assistance (BJA) Web site?

Applicability and Scope of 28 CFR Part 23

Does 28 CFR Part 23 apply to both state and local law enforcement agencies?

28 CFR Part 23 applies to state, local, tribal, or territorial agencies if they are operating interjurisdictional or multijurisdictional criminal intelligence systems that are supported with Crime Control Act funding. For participating or member agencies, the intelligence project’s operating policies, as set forth in a participation or membership agreement, govern their submission, access, use, retention/destruction, and any third-party dissemination of criminal intelligence information received from the intelligence project.

Are internal intelligence databases subject to 28 CFR Part 23 if the information is not being disseminated outside of the agency?

No, an internal (meaning information in the system cannot be disseminated outside the agency in any manner and under any circumstances) criminal intelligence information system, even if it is supported with Crime Control Act funds, is not subject to the regulation.

What are the specific state and federal criteria to be compliant with the regulation?

The regulation provides the minimum operating principles and funding guidelines that a project must incorporate into its operating policies and procedures in order to comply with the regulation. Additional (or more restrictive) state, local, tribal, or territorial agency criteria can also be provided in project operating policies and procedures, provided they are consistent with the regulation.

What are the rules for including criminal versus noncriminal intelligence information into an intelligence database?

Criminal intelligence information records/files entered into a criminal intelligence database are generally limited to pointer information designed to identify the criminal subject and his or her criminal activity. Unless entry is otherwise prohibited (such as information that is illegally obtained, irrelevant, identifies a noncriminal individual or organization unless entered and identified as noncriminal identifying information, or otherwise subject to civil liberties/civil rights protection), any information that is relevant to the identification of the criminal subject and the criminal activity can be entered into an information field (structured data) or a free-text narrative (unstructured data).

What is the difference between “intelligence” generally and “criminal intelligence information”?

Criminal intelligence information subject to 28 CFR Part 23 is analyzed information related to an identified criminal subject and the definable criminal activity that the subject is reasonably suspected of being involved in. Other types of intelligence include tactical intelligence (a deconfliction system is used to help make tactical decisions); strategic intelligence, which may be associated with crime analysis activities and long-term planning; and operational intelligence, including criminal intelligence information and other types of evaluated data housed in a variety of law enforcement systems.

Are crime and intelligence bulletins subject to 28 CFR Part 23?

A crime bulletin is generally a distillation of fact-based information and is not subject to 28 CFR Part 23. An intelligence bulletin is an “intelligence product” because it is based on the evaluation/analysis of information. Dr. David Carter, in Law Enforcement Intelligence: A Guide for State, Local, and Tribal Law Enforcement Agencies (2nd Ed., 2009), defines the term “intelligence product” as “reports or documents that contain assessments, forecasts, associations, links, and other outputs from the analytic process that may be disseminated for use by law enforcement agencies for prevention of crimes, target hardening, apprehension of offenders, and prosecution.” However, an intelligence bulletin is only subject to 28 CFR Part 23 if it identifies a criminal subject based on a criminal intelligence information record/file.

There are no established or required SOPs for criminal intelligence systems. Rather, the regulation provides a policy framework (sometimes referred to as a guideline or guidelines) that intelligence projects use to guide them in establishing their own operating policies and procedures (sometimes referred to as SOPs). Each Regional Information Sharing Systems (RISS) project, for example, has its own unique set of bylaws and operating policies and procedures (though all operate under common Bureau of Justice Assistance Program Guidance and overall RISS policies).

What types of data are covered and what is not covered under 28 CFR Part 23?

Only criminal intelligence records that meet the reasonable suspicion criteria and other 28 CFR Part 23 operating principles and are shared between agencies by an intelligence project are subject to the regulation. Fact-based or uncorroborated information (case investigative files, case management systems, incident/offense reports, field interview cards or contact files, criminal history records, arrest blotters, records management system [RMS] data, tips and leads, Suspicious Activity Reports [SARs], etc.) and other types of information or intelligence gathered/collected and shared by state, local, tribal, or territorial law enforcement and intelligence agencies are not subject to 28 CFR Part 23.

An investigator, for example, might start the process of developing a criminal case using the information contained in a tips and leads file. Investigating the tips and leads information could produce adequate information that, when analyzed, meets the reasonable suspicion standard. If it meets the reasonable suspicion standard, a record on that subject could be entered into a criminal intelligence database. The information from the tips and leads file, as well as any other investigative information gathered, would need to be kept as supporting documentation for that record.

Is an agency authorized to archive digital synopsis sheets of suspects? If so, are there any restrictions?

What goes into a criminal intelligence information system?

Only criminal intelligence information records/files are considered to be in the system’s criminal intelligence information database. However, the 1998 Bureau of Justice Assistance Policy Clarification expressly states that an inquiry to a criminal intelligence system may trigger searches of additional databases or information systems that result in the dissemination of information or intelligence from those other databases or systems; therefore, any criminal intelligence information that is disseminated must be clearly labeled to identify it as such.

Additional noncriminal intelligence information files/databases can be included in a criminal intelligence system.

Should an investigator enter every known or suspected crime with which he or she comes in contact?

No, there are several key reasons why all suspected crimes/criminals cannot be entered into a criminal intelligence information system: first, you must have an identified criminal subject (individual or organization); second, your analysis/evaluation of the available information must result in a determination that there is reasonable suspicion that the subject is engaging in an identifiable criminal activity or enterprise; and third, the criminal activity or enterprise identified must meet the project’s submission criteria (see 28 CFR §23.30(b)(1)–(3) for the types of criminal activity eligible to be submitted).

Can you clarify the database rules regarding retention and dissemination of information on “persons of interest” when no charges have been filed?

Generally, subjects—whether individuals or organizations—of criminal intelligence information are or have been involved in an active investigation. While there is no accepted definition of a “person of interest,” it is safe to say that all criminal intelligence information subjects who are individuals are “persons of interest” to law enforcement. On the other hand, many “persons of interest” in criminal investigations do not qualify as criminal subjects under 28 CFR Part 23 because the investigator cannot make the requisite reasonable suspicion determination.

How does 28 CFR Part 23 apply to a prison setting?

Generally speaking, correctional agencies do not collect and share criminal intelligence information. However, inmate and threat group information may be collected for offender management and officer safety purposes. Identified threat groups are usually not limited to criminal organizations, and the determination of a “threat” is not based on a determination of reasonable suspicion. Consequently, this type of information generally does not meet the criteria for criminal intelligence information and would not need to comply with the regulation. There may be instances where correctional investigative or intelligence undertakes the function of evaluating information for a determination of reasonable suspicion and either has a separate database that houses only criminal intelligence information or submits a record to a criminal intelligence project, such as a Regional Information Sharing Systems (RISS) project, but generally, 28 CFR Part 23 is too restrictive for broader correctional system needs.

Can parolees identified by a prison as members of a prison gang or criminal threat group be entered into an intelligence project’s criminal intelligence database, at least in a “temporary” file?

First, a criminal intelligence information submission requires that the criminal subject be currently involved in a criminal activity or enterprise. If the prison gang is a criminal organization and, based on a determination of reasonable suspicion, involved in current criminal activity and that gang is the subject of a criminal intelligence record, then the parolee can be included in a criminal intelligence system. Absent that circumstance, unless the parolee’s criminal activity is occurring outside of the prison, he or she cannot be entered into the criminal intelligence information system. Second, 28 CFR Part 23 does not allow for “temporary files” absent reasonable suspicion of involvement in a current activity or enterprise.

It should be noted that an individual’s status as an inmate, probationer, parolee, or registered sex offender is insufficient to support a criminal intelligence information submission on its own. There must be reasonable suspicion that the individual is currently involved in a definable criminal activity or enterprise to support a submission of criminal intelligence information.

How does 28 CFR Part 23 pertain to criminal gang information?

Criminal gangs are organizations subject to 28 CFR Part 23 if entered into a criminal intelligence database. Criminal gangs are often defined by certain attributes and activities under state law, and if that is the case, a project must follow that law in identifying a criminal gang. If not defined by law, a criminal gang must, at a minimum, be determined to be primarily or significantly involved in a definable criminal activity or enterprise that meets project submission criteria. Once a criminal gang has been identified and entered into the database, any individual identified as a member of that gang—again using state law criteria or, if there is no law, project-established criteria—can be entered into the criminal intelligence system as a criminal subject without individualized reasonable suspicion. Consequently, if the criminal gang were to go out of existence or its retention period were to expire without being validated for a new retention period, those members identified as criminal subjects by reason of their membership in the criminal gang would need to be purged from the database or individualized reasonable suspicion would need to be established.

This line of reasoning applies to any type of criminal organization and its members, employees, etc.

What is the relationship between fusion center privacy policies and 28 CFR Part 23?

The Global Advisory Committee, a U.S. Department of Justice advisory committee, issued fusion center and state, local, tribal, or territorial Privacy Policy Development Templates to assist agencies in the development of comprehensive privacy, civil rights, and civil liberties privacy protection policies that include references to 28 CFR Part 23 for criminal intelligence information. These documents can be found at www.it.ojp.gov.

How does the regulation apply to field intelligence liaison officers (FILOs)?

Can you explain the interaction of 28 CFR Part 23 with state laws that are more or less restrictive than 28 CFR Part 23?

State laws that are more restrictive than the regulation apply to a criminal intelligence system subject to the state law. If a state’s law is less restrictive or conflicts with the regulation, 28 CFR Part 23 governs that aspect of the operation of the system. (See King v. Smith, 392 U.S. 309 (1968)).

Information Gathering and Submission/Collection

How does a project maintain legal compliance in obtaining (gathering) information used to produce criminal intelligence information?

28 CFR Part 23 does not apply directly to the gathering of information by an investigative or intelligence agency but rather to a project’s collection of criminal intelligence information. The project has the responsibility to ensure that (1) criminal intelligence information it collects meets the reasonable suspicion standard (delegable to a submitting agency); (2) the information is relevant to the criminal activity or the identification of the criminal subject; (3) the information was not obtained in violation of applicable federal, state, or local laws or ordinances (delegable to a submitting agency); and (4) the information is labeled to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control officials.

When an investigator makes a submission, 28 CFR Part 23 requires that it be labeled for level of sensitivity and level of confidence. What do these terms mean?

The “level of sensitivity” refers to how the intelligence information should be disseminated. Typically, the submitter sets a designation to classify how the information will be released. The following is an example of how a project may opt to set three levels of dissemination based on the sensitivity of the intelligence:

Open—disseminate the criminal intelligence file to the inquirer when there is a hit, with no further action required.

Release Agency Name Only—provide only the controlling agency name and contact information.

Restricted—do not disseminate the criminal intelligence file or even indicate that there has been a hit. Notify the controlling agency.

Projects will develop the levels of sensitivity and train all participating agencies as to the usage of each level.

The “level of confidence” gives the recipient an indication of how the submitter assesses the content of the file. Level of confidence is a two-part process:

“Source reliability” refers to the reliability of the source of the information.

“Content validity” refers to the accuracy or truthfulness of the information.

Most projects will establish a range for source reliability and content validity. The following are examples of those ranges:

Source Reliability:

Reliable—the reliability of the source is unquestioned or has been well tested in the past.

Usually Reliable—the source can usually be relied upon.

Unreliable—the reliability of the source has been sporadic in the past.

Unknown—the reliability of the source cannot be judged.

Content Validity:

Confirmed—information has been corroborated by an investigator or another reliable source.

Probable—the information is consistent with past accounts.

Doubtful—the information is inconsistent with past accounts.

Cannot be judged—the information cannot be judged.

These codes allow the inquirer to assess the value of the file. For example, if an inquirer gets a hit and reads a file from a Regional Information Sharing Systems (RISS) Center that has source reliability and content validity codes of 1 or 2, using the above examples, then the recipient should deduce this to be very solid intelligence.

It should be noted that a combination of source reliability “unreliable” or “unknown” and content validity “doubtful” or “cannot be judged” would not meet the 28 CFR Part 23 reasonable suspicion standard and the information should not be entered into a criminal intelligence database.

Can the names of individuals or organizations not reasonably suspected of involvement in criminal activity be included in a criminal intelligence database?

Yes. The 1998 Bureau of Justice Assistance Policy Clarification of 28 CFR Part 23 allows for the inclusion of such information as “noncriminal identifying information” if it is relevant to the identification of a criminal subject or the criminal activity. However, this type of information can be included only under the following circumstances:

Appropriate disclaimers or labels must accompany the information noting that it is strictly identifying information carrying no criminal connotation;

Identifying information may not be used as an independent basis to meet the requirement of reasonable suspicion of involvement in criminal activity necessary to create a record in a criminal intelligence system; and

The individual who is the criminal subject identified by this information must meet all requirements of 28 CFR Part 23.

The noncriminal identifying information may be added to an existing or new record of a criminal subject in the database. Also, note that noncriminal identifying information that pertains to a subject’s political, religious, or social views, associations, or activities can be entered only if it directly relates to the criminal activity or involvement that the subject is reasonably suspected of being engaged in.

Can criminal intelligence information be submitted based solely on an individual’s membership or affiliation with a group that espouses violent acts against the government or individuals?

Espousing violent acts, with few exceptions, is protected speech that, standing alone, is not sufficient to make a group a criminal organization. Consequently, the individual cannot be identified as a criminal subject.

Can individuals identified as sovereign citizens or holding sovereign citizen beliefs be submitted to a criminal intelligence database?

No. Holding sovereign citizen (or other non-mainstream) beliefs is protected under the First Amendment. It is only when those beliefs result in criminal conduct or activity, including criminal threats, that there is a valid law enforcement purpose for gathering information on that individual and, if reasonable suspicion is established, submitting/collecting criminal intelligence information.

What is the difference between reasonable suspicion and probable cause?

Reasonable suspicion, as defined in 28 CFR Part 23, is the standard for making a submission of criminal intelligence information to a criminal intelligence information database. Probable cause is a higher standard that applies to searches, arrests, and prosecutions in criminal courts. However it is expressly defined in applicable law, it essentially means there is a reasonable belief that something is more likely than not based on articulable facts.

With the development of permissible uses for medical marijuana, will compliance be affected on historical narcotic-related intelligence?

User Access to and Use of Criminal Intelligence Information

When can an investigator query a criminal intelligence system?

There is no threshold to make an inquiry other than a valid law enforcement purpose. Reasonable suspicion does not need to exist to make an inquiry. The criteria in the regulation is that information will be disseminated only in response to an inquiry when there is a need to know and a right to know the information in the performance of a law enforcement activity.

If there is a hit on an inquiry and criminal intelligence is disseminated, what are the responsibilities of the recipient?

The recipient must agree to treat the disseminated criminal intelligence in a manner consistent with the operating principles established by 28 CFR Part 23 and the project as reflected in the project’s operating policies and procedures.

If a federal agency participates in a state, local, tribal, or territorial criminal intelligence information system, is the agency subject to the 28 CFR Part 23 operating principles?

A federal agency participating in a criminal intelligence information system subject to 28 CFR Part 23 has to follow project-established participation requirements based on the regulation’s operating principles in the same manner as any other participating or member agency.

U.S. Department of Justice, Office of Justice Programs, legal opinions hold that federal and state homeland security agencies engage in “law enforcement activity,” as that term is used in 28 CFR §23.20(e), in describing authorized recipients of criminal intelligence information. If your agency and your job function fall within the right to know and need to know definitions of your fusion center or other intelligence project for its criminal intelligence system, your agency and you (if you are an authorized user) may access criminal intelligence information as a member or participant in the intelligence project.

Can fire service and other non-law enforcement first responders participate in a criminal intelligence system?

Generally, fire service and other non-law enforcement or homeland security agencies are not eligible to submit and access criminal intelligence information, except to the extent that their personnel have law enforcement authority, such as an arson investigator, and a need to know the information in the performance of their job function. However, a fire service agency and its personnel can receive an intelligence assessment related to the agency’s mission that does not identify specific criminal subjects and is based, in whole or in part, on an analysis of criminal intelligence information.

If an agency’s criminal intelligence system does not comply with the regulation, would its investigators who have been trained in 28 CFR Part 23 be restricted from accessing other agencies’ 28 CFR Part 23-compliant systems?

That would be a matter of the other agencies’ user participation policies.

How many days can you keep open files?

Source Agency Documentation

Can you explain archival of source documentation, how agencies are storing information, and how storing information applies to holding information past five years (if not actively shared), etc.? Are there any case studies of liability and how it can be mitigated?

Source documentation (generally an investigative or case file) that supports a criminal intelligence record submission must be maintained by the agency that submits the record to the project. This responsibility ends when the intelligence record is purged from the system. Source documentation may be kept in whatever format the agency would normally keep such information; it is not part of a criminal intelligence record. The source documentation is not otherwise subject to the regulation, and its disposition is a matter of agency policy and applicable state and/or local record retention, storage, and purge requirements. We are not aware of any case studies of liability for improper record retention.

Storage and Retention, Including Security

What security requirements must be met for the maintenance and sharing of criminal intelligence files in order to be compliant with 28 CFR Part 23?

Once a decision is made to store and maintain a criminal intelligence file/record, it is entered into the criminal intelligence system (paper or electronic). The project must have the following safeguards in place:

Additional security requirements, including: (1) where appropriate, effective and technologically advanced computer software and hardware designs to prevent unauthorized access to information in the system; (2) access to facilities, operating environment, and documentation is restricted to organizations and personnel authorized by the project; (3) information is stored in the system in a manner such that it cannot be modified, destroyed, accessed, or purged without authorization; (4) procedures to protect criminal intelligence information from unauthorized access, theft, sabotage, fire, flood, or other natural or manmade disaster; and (5) rules and regulations based on good cause for implementing the project’s authority to screen, reject for employment, transfer, or remove personnel authorized to have direct access to the system (28 CFR §23.20(g)(1)–(5)).

Procedures to assure that the information retained has relevancy and importance, including periodic review of the information and the destruction of any information that is misleading, obsolete, or otherwise unreliable. Any information retained as a result of the review must reflect the name of the reviewer, date of review, and explanation of the decision to retain (28 CFR §23.20(h)).

A system for the review and validation or purge of each submission to the system prior to the expiration of its retention period (up to 5 years) (28 CFR §23.20(h)).

What type(s) of intelligence can be stored?

How can an agency reduce its liability through proper management of intelligence files? What are examples of proper classification of materials in an intelligence file? What is the best method to demonstrate that the intelligence unit has done its best to ensure privacy?

Agencies should consider implementing a number of different features that address training, policy adoption and implementation, supervision, and oversight. Specific items might include annual training requirements, staff-written acknowledgement of agency policy, and regular system audits and inspections of member agencies and users. Proper management of intelligence files involves agency classification of information and ensuring that there is a valid law enforcement purpose for the collection of all information and intelligence (a criminal nexus or authorized purpose, such as a background check or deconfliction). To demonstrate your commitment to privacy, consider adopting a comprehensive privacy policy and posting it on your Web site and entering into a dialogue with citizens and the advocacy community about your agency’s mission and goals.

Are there any recent changes regarding file retention?

No. Criminal intelligence information records continue to be subject to a retention period of up to five years, as established by the intelligence project, at the end of which the information must either be purged from the system or validated for a new retention period in accordance with the regulation and the project operating policy.

Do records need to be maintained in the department records management system (RMS) or contained in a separate database?

Supporting documentation can be in an RMS. No separate database or file system is required for criminal intelligence information, providing it can be labeled as criminal intelligence information to distinguish it from other information and the regulation’s provisions can be appropriately implemented.

Dissemination

What are the key requirements related to dissemination (sharing) of criminal intelligence information?

Key provisions related to dissemination include:

Criminal intelligence information can only be disseminated when there is a need to know and a right to know the information in the performance of a law enforcement activity (28 CFR §23.20(e)).

Recipients of criminal intelligence information must agree to follow procedures regarding receipt, maintenance, security, and further dissemination of the information that are consistent with the operating principles set forth in the regulation (28 CFR §23.20(f)(1)). However, an assessment of the information (with no personally identifiable information) can be disseminated to a government official or any other individual when necessary to avoid imminent danger to life or property (28 CFR §23.20(f)(2)).

The project must maintain a record of who has been given information, the reason for the release, and the date of each dissemination outside the project (28 CFR §23.20(g)).

Information that is disseminated must be labeled to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control officials (28 CFR §23.20(g)).

What is the most efficient way to share information between agencies while maintaining privacy concerning the information?

Efficient dissemination that protects privacy includes (1) use of direct remote terminal access with appropriate audit trails (who, what, when, and why) and adoption of the additional security requirements (28 CFR §23.20(i)) outlined in the 1993 Regulation Commentary and (2) use of encryption in the exchange of criminal intelligence information.

When is it allowed to share a criminal intelligence database with another project’s criminal intelligence database?

In addition to the key provisions noted above, there should be an appropriate information sharing agreement between the projects. One example of the type of sharing is when a state, local, tribal, or territorial project’s criminal intelligence database is a node on a Regional Information Sharing Systems (RISS) project and its entire database is periodically downloaded to RISSIntel. This reduces the need for multiple searches and facilitates broader sharing of criminal intelligence information.

Validation/Purge

How long can a file stay in a criminal intelligence system, and what happens at the end of any designated time frame?

The maximum retention period is five years. A record must be either purged at the end of the established retention period or undergo a review and validation process before the end of the retention period. If a record is purged, then it must be removed from the criminal intelligence system. If a record is reviewed and validated, it will receive a new retention period of up to five years. In order for a record to be validated, the submitting agency must determine that the subject is still reasonably suspected of involvement in current criminal activity. In other words, the submitting agency must determine that the record continues to meet the 28 CFR Part 23 submission criteria. A record may be validated at any time during its retention period; however, simply updating the identifying information about the subject during the retention period is not enough, by itself, to indicate that the subject is still reasonably suspected of involvement in current criminal activity.

If there is an active investigation on a criminal subject, do you still have to purge the criminal intelligence record or file on that subject at the end of the retention period?

Submission or maintenance of a criminal intelligence record does not depend upon whether there is an investigation or whether an investigation is open or closed. At the end of the retention period, it is up to the submitter to validate the information (and update the record as needed) based on reasonable suspicion of the subject’s current or continuing involvement in an identified criminal activity or enterprise that meets project submission requirements. If the record cannot be validated for a new retention period, it must be purged from the system.

Does there need to be a purge system?

Yes, every criminal intelligence information system subject to 28 CFR Part 23 must have a purge policy and procedure in order to comply with the regulation. It can be as simple as an automatic purge from the system, with no notice to the submitter, at the end of the project’s retention period.

What purging procedures should be followed when maintaining 28 CFR Part 23 compliance?

When criminal intelligence information is purged from a 28 CFR Part 23-compliant database, the intelligence project must ensure that the criminal intelligence record can no longer be disseminated (shared) outside of the project; i.e., it is removed from an electronic or paper system such that it cannot be disseminated from the system.

When gang or other criminal intelligence information records are purged, do they have to be physically destroyed or can they just be removed from the rest of the files and physically stored in an inactive status?

Although the regulation does not provide for an “inactive” status, it requires the project to remove the record from the system so that it can no longer be shared outside the project or return it to the submitting agency. Generally, projects either destroy the record, return it to the submitter, or keep only identifier information and delete the substance of the record (data minimization). The key is to ensure that the record is not searchable or accessible as a criminal intelligence information record.

If a criminal subject is sentenced to prison, does the retention period continue to run?

Protecting Privacy, Civil Rights, and Civil Liberties

Considering the increased public awareness, how should the law enforcement community respond to privacy concerns?

Law enforcement recognizes that the public is concerned about what types of and how much information is being collected, as well as when and how that information is being used and shared. The events of September 11, 2001, have made the average American aware that law enforcement must collect and share information and intelligence. Conversely, the public is concerned about the scope of collecting and sharing information and its impact on civil liberties and privacy. The National Criminal Intelligence Sharing Plan (NCISP) offers an approach to protecting civil liberties by confining, structuring, and checking discretion through the establishment of sound policies, systematic training, and vigorous oversight. Also, law enforcement agencies should be prepared to answer the public’s questions on law enforcement information practices and be ready to show the public that they are very concerned with the rights of individuals and the need to protect the confidentiality of information.

How does the protection of civil rights pertain to criminal intelligence information?

Civil rights are the rights and privileges of citizenship and equal protection that the government is constitutionally bound to guarantee to all citizens regardless of race, religion, gender, or other characteristic unrelated to the worth of the individual. The Fourteenth Amendment to the U.S. Constitution establishes that the rights to due process and equal protection guaranteed under the law apply equally to the states. These rights can be implicated if criminal intelligence information is based on protected characteristics through such activities as racial profiling or if erroneous information is collected and shared that leads to a loss of the rights of citizenship. Consequently, 28 CFR Part 23 prohibits the inclusion of information about the political, religious, or social views, associations, or activities of any individual or any organization unless such information directly relates to the criminal conduct or activity.

Religious affiliation information can only be included in a criminal intelligence file/record if it directly relates to the subject’s criminal activity. For example, the use of a particular religious facility to plan criminal activity or to launder illegally obtained funds can be included in a record of the related criminal activity.

Is data in an intelligence file subject to an expungement order when that intelligence led to a criminal case and the defendant/petitioner has obtained an expungement order all through federal or state courts?

If the expungement order includes all law enforcement records and you receive notice of the order, then yes, the record needs to be purged and the project needs to notify all recipients of the information of the change in the status of the record.

Agency Liability

Who is responsible for compliance with 28 CFR Part 23?

28 CFR Part 23 requires that either an organizational unit within an agency or an organization that operates the criminal intelligence system on behalf of multiple organizations or jurisdictions will be ultimately responsible for compliance with the regulation. This unit or organization is referred to as the intelligence project. The project develops operating policies and procedures for the criminal intelligence system and conducts audits and inspections to ensure participating agency compliance.

Are there examples of agency liability for improper information sharing?

One example that actually happened was a multistate intelligence project subject to 28 CFR Part 23 that delegated its responsibility to establish the existence of reasonable suspicion to member agencies but failed to provide required training to the agencies on determining reasonable suspicion and did not carry out the routine inspection and audit procedures that were required by both the regulation and project policy and procedure (28 CFR §23.20(d)). The result was that individuals were improperly identified as criminal subjects, and the project was unaware of this pattern of violations of the regulation. A major lawsuit followed, agencies were subject to adverse publicity and loss of public and governmental confidence, employees were disciplined, and legislative restrictions were considered. The project implemented aggressive steps to identify and address the failures.

Aside from grant termination and future funding issues, what are the legal ramifications for noncompliance with 28 CFR Part 23?

Legal ramifications may include litigation and a consent decree or limitations or restrictions on collection methods (such as the recent U.S. Supreme Court ruling requiring a warrant for cell phone searches). Other ramifications may include fines of up to $10,000 for each instance of noncompliance, as provided by the Crime Control Act; personal or agency embarrassment; loss of public confidence; loss of authority to operate a criminal intelligence system; and even criminal charges.

What are some of the most common mistakes that can result in agency liability?

One common mistake is agency personnel accessing information and intelligence who do not have a “need to know” the information, including accessing information and intelligence out of curiosity or for personal purposes

Another common mistake is, for 28 CFR Part 23, an agency’s failure to properly train personnel and participating agencies, to audit records to ensure that the information contained is relevant when submitted and continues to be relevant, and to purge or validate criminal intelligence information in a timely manner.

How can the project protect itself from liability?

The project is required to promulgate rules and regulations based on good cause for implementing its authority to screen, reject for employment, transfer, or remove personnel authorized to have direct access to the system (28 CFR §23.20(g)(5)) and to adopt sanctions for unauthorized access, utilization, or disclosure of information contained in the system (28 CFR §23.20(m)). Sanctions might include suspension or expulsion of an agency or user from participation in the project, retraining, and referral for prosecution for mishandling official government information.

Requests/Demands for Criminal Intelligence Information

What are the policies regarding requests for the information within the file? If someone who has a record in the system requests to see it, are we required to share that information with them?

When a participating agency in a criminal intelligence information system submits a record/file on a criminal subject, it is usually agreeing to share the information with other participating agencies with a need and right to know the information. However, access to records/files can be restricted, even for authorized system users, through the use of the project’s sensitivity codes; for example, by providing that only a notification of a hit occur (with contact information provided) or that only the submitting agency be notified of a hit. In that way, the submitting agency can ultimately determine whether to contact the inquirer and, if so, what information would be appropriate and necessary to share.

Dissemination or sharing of information in a criminal intelligence information database is limited to recipients who have a “… need and right to know the information in the performance of a law enforcement activity” (28 CFR §23.20(e)). Consequently, the subject of a record does not qualify to receive the information from a system that is subject to the regulation. However, if the system voluntarily complies with the regulation, state public records laws govern the right of a subject of a record/file to access the information. Generally, such laws restrict access (through an exception or exemption) because the record/file qualifies as a law enforcement record or an investigative or intelligence file.

How do the federal Freedom of Information Act and state open records laws pertain to 28 CFR Part 23-compliant systems?

The federal Freedom of Information Act is not applicable to state or local criminal intelligence information systems unless made applicable by state law. However, each state (and some local jurisdictions) has public access or open records statutes and other laws that govern access to and release of public agency information to the public. While these laws apply to criminal intelligence information maintained by a state or local agency in that state, 28 CFR Part 23 limits the dissemination of criminal intelligence information to individuals with a “need to know” the information in agencies that have a “right to know” the information, as these terms are defined by the project. Consequently, in projects that are subject to the regulation as a matter of law, 28 CFR Part 23 prohibits the dissemination or release of the information by the project on a voluntary basis or involuntarily, even if the information is otherwise subject to release under state law (see King v. Smith, 392 U.S. 309 (1968)).

Are criminal intelligence records subject to discovery or open to court proceedings?

Such records are occasionally the subject of a discovery request but have, without exception to date, been determined to be protected by the restrictions of the regulation or by state public records laws. However, in training on 28 CFR Part 23, we suggest that no official actions be taken by law enforcement (search or arrest warrant, penalty enhancement, etc.) based on an intelligence file/record but rather on the information in an investigative file or other underlying documentation.

Records on Juveniles

Should criminal intelligence information regarding juveniles be treated differently from records on adults? Are there specific guidelines as to how long such information can stay in a compliant database?

There are no 28 CFR Part 23 operating policies unique to juvenile criminal subjects. We are aware of only two state laws (Wisconsin and California) that potentially impact how criminal intelligence information on juveniles is handled. Neither affects retention policy.

Are there recommended SOPs for interviewing juveniles?

The International Association of Chiefs of Police, with funding from the Office of Juvenile Justice and Delinquency Prevention, has established a Juvenile Justice Training and Technical Assistance Program. The program provides training and guidance on interviewing juveniles. See http://www.theiacp.org/juvenilejustice.

Use of Social Media

Are there 28 CFR Part 23 compliance issues related to social media searches of subjects involved in criminal investigations?

There are no unique 28 CFR Part 23 provisions related to social media searches. However, intelligence projects need to be mindful that inclusion of social media links in criminal intelligence records can improperly incorporate information identifying individuals who are not criminal subjects.

28 CFR Part 23 and Suspicious Activity Reporting

Can criminal subjects be entered into a criminal intelligence system based on the “reasonably indicative” threshold for a suspicious activity report (SAR) rather than reasonable suspicion?

No. SARs and information sharing environment-suspicious activity reports (ISE-SARs) are not criminal intelligence information because they do not need to meet the “reasonable suspicion” standard for criminal intelligence information.

Do only the 16 defined behaviors for terrorism-related suspicious activity qualify for entering a subject based on reasonably indicative behavior?

Suspicious activity reports (SARs) determined to be terrorism-related under the two-part vetting process (ISE-SARs) detailed in the Information Sharing Environment-Suspicious Activity Reporting (ISE-SAR) Functional Standard must (1) meet one or more of 16 terrorism-related pre-operational behaviors and (2) considering all the available context, facts, and circumstances of the SAR, be determined by a trained analyst or investigator to have a potential nexus to terrorism.

What are the specific requirements for submission of a suspicious activity report (SAR) to a multiagency task force?

A SAR or information sharing environment-suspicious activity report (ISE-SAR) that is determined to meet criminal intelligence information submission standards, including a determination of reasonable suspicion, can also be submitted to a criminal intelligence system. The Nationwide SAR Initiative (NSI) provides for SARs to be submitted to fusion centers or directly to eGuardian—but not to multiagency task forces other than Joint Terrorism Task Forces. Other multiagency task forces may submit or receive ISE-SARs as participants in the NSI.

Contact Criminal Intelligence Training Staff:

Office Hours:

Training and Technical Assistance

Online training is available for agencies concerned with protecting privacy, civil rights, and civil liberties or to learn how to comply with the 28 CFR Part 23 guidelines.
► More Information
► Training Schedule

Practical technical assistance is available at no cost to law enforcement agencies.
► More Information